
Entra ID OIDC (formerly Azure AD)

Learn how to configure a connection to Entra ID via OIDC.

Each SSO identity provider requires specific information to create and configure a new SSO connection. Often, the information required to create an SSO connection will differ by identity provider.

To create an Entra ID OIDC SSO connection, you’ll need four pieces of information: a redirect URI, an application (client) ID, a client secret, and a discovery endpoint.

Start by logging in to your WorkOS dashboard and navigate to the Organizations page from the left-hand navigation bar.

Select the organization you’d like to configure an Entra ID OIDC SSO connection for, and select Configure manually under Single Sign-On.

WorkOS Dashboard Organizations tab with "Configure manually" button highlighted

Select Entra ID (Azure AD) OIDC from the identity provider dropdown, enter a descriptive name for the connection, and click Create Connection.

Create Connection form with Entra ID (Azure AD) OIDC selected as Identity Provider

WorkOS provides the Redirect URI, which can be found in the Service Provider Details section on the SSO connection page in the WorkOS Dashboard.

  • Redirect URI: The endpoint where identity providers send authentication responses after successful login

The Redirect URI of an OIDC connection in the WorkOS Dashboard.

The Redirect URI is the location an identity provider redirects its authentication response to. In Entra ID’s case, it must be set during application registration when configuring your OIDC application, which is outlined in the app registration steps below.

You will need to obtain three pieces of information from the organization: the application (client) ID, the client secret, and the discovery endpoint.

Normally, this information will come from the organization’s IT Management team when they set up your application’s OIDC configuration in their Entra ID admin center. If that is not the case during your setup, the following steps show you how to obtain it.

Sign in to the Microsoft Entra admin center.

In the left navigation menu, expand the Identity section. Expand the Applications sub-section. Select the App registrations tab. Click New registration.

Microsoft Entra admin center navigation showing Identity > Applications > App registrations

Enter an appropriate app name, such as your organization or application name.

Select one of these Supported account types:

  • Accounts in this organizational directory only (Default Directory only – Single tenant) (Default)
  • Accounts in any organizational directory (Any Microsoft Entra ID tenant – Multitenant)

In the Redirect URI field, select the Web option from the dropdown menu. Copy the Redirect URI from the SSO connection page in the WorkOS Dashboard and paste it into the input field.

App registration form with name, supported account types, and redirect URI fields

Click Register.

Now you’ll need to gather three pieces of information from your Entra ID application that will be configured in your WorkOS dashboard: the client ID, client secret, and discovery endpoint. Keep these values handy to input into the WorkOS Dashboard.

From the application Overview page, copy the Application (client) ID.

Entra ID application Overview page showing Application (client) ID field

Navigate to the Certificates & secrets page. Click New client secret.

Certificates & secrets page with "New client secret" button

Enter an appropriate secret description and select an expiration period. Click Add.

Add a client secret panel with the description, expires at fields highlighted

Copy the newly created client secret Value immediately, as it will not be shown again once you navigate away from this page.

Client secret creation form with description field and generated secret value

From the application Overview page, click the Endpoints tab.

Entra ID application Overview page with Endpoints tab highlighted

Scroll down to find and copy the OpenID Connect metadata document URL. This is your Discovery Endpoint.

Endpoints list showing OpenID Connect metadata document URL
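As an added example (not part of the WorkOS documentation or its SDKs), the following Python parses a discovery document of the kind served at the metadata URL copied above and checks it before it is trusted: the fields OIDC Discovery requires are present, the metadata URL matches the `issuer` the document advertises, the endpoints use https, and the provider signs ID tokens with RS256 and supports the authorization code flow. The sample document is constructed to mirror the shape of Entra ID's v2.0 metadata, and the tenant ID in it is a placeholder.

```python
import json
from urllib.parse import urlsplit

# Constructed sample: the shape of the document served at an Entra ID v2.0
# "OpenID Connect metadata document" URL. The tenant ID is a placeholder.
TENANT_ID = "00000000-0000-0000-0000-000000000000"
SAMPLE_METADATA_URL = (
    f"https://login.microsoftonline.com/{TENANT_ID}/v2.0/.well-known/openid-configuration"
)
SAMPLE_DISCOVERY_DOC = json.dumps({
    "issuer": f"https://login.microsoftonline.com/{TENANT_ID}/v2.0",
    "authorization_endpoint": f"https://login.microsoftonline.com/{TENANT_ID}/oauth2/v2.0/authorize",
    "token_endpoint": f"https://login.microsoftonline.com/{TENANT_ID}/oauth2/v2.0/token",
    "jwks_uri": f"https://login.microsoftonline.com/{TENANT_ID}/discovery/v2.0/keys",
    "response_types_supported": ["code", "id_token", "code id_token", "id_token token"],
    "subject_types_supported": ["pairwise"],
    "id_token_signing_alg_values_supported": ["RS256"],
    "scopes_supported": ["openid", "profile", "email", "offline_access"],
})

# Fields OpenID Connect Discovery 1.0 marks REQUIRED for a provider.
REQUIRED_FIELDS = (
    "issuer",
    "authorization_endpoint",
    "token_endpoint",
    "jwks_uri",
    "response_types_supported",
    "subject_types_supported",
    "id_token_signing_alg_values_supported",
)


class DiscoveryError(ValueError):
    """Raised when a discovery document should not be trusted."""


def _https_url(value, field):
    parts = urlsplit(value)
    if parts.scheme != "https" or not parts.netloc:
        raise DiscoveryError(f"{field} must be an https URL, got {value!r}")
    return parts


def validate_discovery_document(metadata_url: str, raw_json: str) -> dict:
    """Parse a discovery document and return the endpoints a relying party needs.

    metadata_url is the URL the document was fetched from (the value copied from
    the Endpoints tab); raw_json is the response body.
    """
    doc = json.loads(raw_json)

    missing = [f for f in REQUIRED_FIELDS if f not in doc]
    if missing:
        raise DiscoveryError(f"discovery document is missing required fields: {missing}")

    issuer = doc["issuer"].rstrip("/")
    _https_url(issuer, "issuer")

    # OIDC Discovery places the document at issuer + /.well-known/openid-configuration.
    # A mismatch means the URL and the issuer it will later appear in `iss` disagree.
    if metadata_url.rstrip("/") != issuer + "/.well-known/openid-configuration":
        raise DiscoveryError("metadata URL does not match the issuer in the document")

    for field in ("authorization_endpoint", "token_endpoint", "jwks_uri"):
        _https_url(doc[field], field)

    algs = doc["id_token_signing_alg_values_supported"]
    if "none" in algs or "RS256" not in algs:
        raise DiscoveryError(f"unacceptable ID token signing algorithms: {algs}")

    if "code" not in doc["response_types_supported"]:
        raise DiscoveryError("provider does not support the authorization code flow")

    return {k: doc[k] for k in ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri")}


if __name__ == "__main__":
    endpoints = validate_discovery_document(SAMPLE_METADATA_URL, SAMPLE_DISCOVERY_DOC)
    print(json.dumps(endpoints, indent=2))
```

Running the block against the constructed document prints the four endpoints; the issuer check is the one most often skipped in practice, and it is what ties the URL pasted into the dashboard to the `iss` value every ID token will later carry.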

Back in the WorkOS Dashboard on the SSO connection page, enter the client ID, client secret, and discovery endpoint you obtained from Entra ID into the respective fields in the {SSO connection name} Settings section.

WorkOS Dashboard Identity Provider Configuration with Client ID, Client Secret, and Discovery Endpoint fields

Click Update connection to save.

Navigate to the Token configuration page. Click Add optional claim.

Token configuration page with "Add optional claim" button

Select ID token type, and then select the following claims:

  • email
  • family_name
  • given_name

Optional claims dialog with ID token type selected and email, family_name, given_name claims

Click Add. In the pop-up, select Turn on the Microsoft Graph email, profile permission, then click Add.

Add optional claim panel with turn on Microsoft Graph checkbox highlighted

In the left navigation menu, expand the Identity section. Expand the Applications sub-section. Select the Enterprise applications tab.

Search for your application by name and select it.

Enterprise applications search interface with application list

From the Enterprise application page, select the Users and groups tab. Click Add user/group.

Enterprise application Users and groups tab with "Add user/group" button

Select appropriate users and groups to add to the OIDC application.

User and group assignment interface with selection options and Assign button

When finished, click Assign to add the selected users to your OIDC application.

Add assignment page with Assign button highlighted

With identity provider role assignment, users receive roles in your application based on their Entra ID group memberships; the assigned roles are granted automatically when they authenticate. To enable this functionality:

From the app registration, navigate to the Token configuration page. Click Add groups claim.

Token configuration page with "Add groups claim" button

In the Group Claims panel, select appropriate groups. For example, you could select Groups assigned to the application to only send groups assigned to the OIDC app in Entra ID. Click Add.

Group Claims configuration panel with group selection options

From the SSO connection page in the WorkOS Dashboard, scroll to the Groups and role assignments section.

WorkOS dashboard highlighting create group button

For each group you want to assign a role, click the Create group button and enter the following:

  1. Copy the group id from Entra ID into the IdP ID field.
  2. Optionally, enter a group name into the Name field.
  3. Assign the appropriate role to the group.

WorkOS dashboard with open create group dialog and idp_id, name, and role assignment inputs

Group members without an explicit role will receive the default role.
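The checks a relying party performs on the ID token once Entra ID is configured as above, written here as an added Python example rather than code from WorkOS or Microsoft: it confirms the token's issuer, audience and validity window, verifies that the optional `email`, `given_name` and `family_name` claims added on the Token configuration page actually arrived, and maps the `groups` claim to application roles with a default for members of unmapped groups, as the Groups and role assignments section describes. Signature verification against the provider's JWKS is assumed to have happened already. The tenant ID, client ID, group object IDs, role names and the sample token payload are constructed placeholders. The example also goes one step beyond the page: when a user belongs to more groups than Entra ID will put in a token, the `groups` claim is omitted and `_claim_names` points to Microsoft Graph instead, and the code reports that rather than silently assigning the default role.

```python
import time

# Constructed placeholders; none of these values belong to a real tenant or app.
TENANT_ID = "00000000-0000-0000-0000-000000000000"
CLIENT_ID = "11111111-1111-1111-1111-111111111111"
EXPECTED_ISSUER = f"https://login.microsoftonline.com/{TENANT_ID}/v2.0"

# Mirrors the "Groups and role assignments" table: Entra group object ID -> role.
# The group IDs and role names are constructed for this example.
GROUP_ROLES = {
    "aaaaaaaa-0000-0000-0000-000000000001": "admin",
    "aaaaaaaa-0000-0000-0000-000000000002": "member",
}
DEFAULT_ROLE = "member"           # role for members of groups with no explicit mapping
ROLE_PRIORITY = ("admin", "member")  # highest first, used when several groups match

# The optional claims selected on the Token configuration page.
PROFILE_CLAIMS = ("email", "given_name", "family_name")

# Constructed ID token payload, as it would look after signature verification.
SAMPLE_CLAIMS = {
    "iss": EXPECTED_ISSUER,
    "aud": CLIENT_ID,
    "exp": 1_900_000_000,
    "nbf": 1_700_000_000,
    "sub": "constructed-subject-identifier",
    "email": "user@example.com",
    "given_name": "Ada",
    "family_name": "Lovelace",
    "groups": [
        "aaaaaaaa-0000-0000-0000-000000000002",
        "aaaaaaaa-0000-0000-0000-000000000001",
    ],
}


class TokenClaimsError(ValueError):
    """Raised when an ID token must not be accepted or its role cannot be decided."""


def validate_id_token_claims(claims: dict, now=None) -> dict:
    """Check issuer, audience and time window on signature-verified claims.

    Returns the profile claims the application relies on, or raises.
    """
    now = time.time() if now is None else now
    if claims.get("iss") != EXPECTED_ISSUER:
        raise TokenClaimsError(f"unexpected issuer {claims.get('iss')!r}")
    aud = claims.get("aud")
    if aud != CLIENT_ID and not (isinstance(aud, list) and CLIENT_ID in aud):
        raise TokenClaimsError("token was not issued for this client ID")
    # A missing exp is treated as already expired.
    if claims.get("exp", 0) <= now:
        raise TokenClaimsError("token has expired")
    if claims.get("nbf", 0) > now:
        raise TokenClaimsError("token is not yet valid")
    missing = [c for c in PROFILE_CLAIMS if not claims.get(c)]
    if missing:
        # Usually means the optional claims were not added, or the Microsoft Graph
        # email/profile permission was not turned on, in the Token configuration page.
        raise TokenClaimsError(f"ID token lacks optional claims: {missing}")
    return {c: claims[c] for c in PROFILE_CLAIMS}


def resolve_role(claims: dict) -> str:
    """Map the groups claim to an application role, defaulting for unmapped groups."""
    groups = claims.get("groups")
    if groups is None:
        if "groups" in claims.get("_claim_names", {}):
            # Groups overage: Entra ID left the groups out of the token and expects the
            # application to read membership from Microsoft Graph, so no role is decided here.
            raise TokenClaimsError("groups overage: fetch group membership from Microsoft Graph")
        return DEFAULT_ROLE
    matched = {GROUP_ROLES[g] for g in groups if g in GROUP_ROLES}
    for role in ROLE_PRIORITY:
        if role in matched:
            return role
    return DEFAULT_ROLE


if __name__ == "__main__":
    profile = validate_id_token_claims(SAMPLE_CLAIMS, now=1_800_000_000)
    print(profile, resolve_role(SAMPLE_CLAIMS))
```

The priority order matters when a user belongs to several mapped groups: without it, the role chosen would depend on the order Entra ID happens to list the groups in.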

Your Entra ID OIDC connection is now configured and ready to use. Users assigned to the application in Entra ID will be able to authenticate through WorkOS using their Microsoft credentials.

To start using this connection in your application, refer to the SSO guide for implementation details.